Cameleon
Malware⚠️ Overview
The Cameleon malware family is a Windows‑based backdoor first documented in 2018 and attributed to the North Korean advanced persistent threat group APT37 (also tracked as Scarcruft, Group123, or Reaper). According to MITRE ATT&CK (software ID S0450) and multiple vendor reports from Kaspersky and McAfee, Cameleon is used primarily for cyber‑espionage, targeting government, defense, and think‑tank entities in South Korea. It is classified as a remote access trojan (RAT) with modular data‑theft capabilities.
🔧 Technical Capabilities
Cameleon communicates with its command‑and‑control (C2) servers over HTTP using encrypted POST requests; the traffic is obfuscated with a simple XOR cipher using a hard‑coded key. The backdoor achieves persistence by writing a registry Run key (e.g., HKCUSoftwareMicrosoftWindowsCurrentVersionRun) that points to a dropped executable, often named update.exe or winlogon.exe. It establishes a named pipe (e.g., \.pipecameleon) for inter‑component communication and can execute arbitrary shell commands, upload/download files, capture screen images, and log keystrokes. Propagation is manual rather than worm‑based, relying on spear‑phishing or watering‑hole attacks as initial access vectors. Evasion techniques include packing the binary with UPX, using dynamic DNS domains for C2, and disabling Windows Defender via registry modifications.
📜 History & Notable Incidents
First publicly reported by McAfee in 2019 during an intrusion against a South Korean defense contractor, Cameleon has since been observed in multiple campaigns linked to APT37. Notable incidents include the 2020 compromise of a South Korean nuclear‑policy think‑tank, where the backdoor exfiltrated strategic documents over several months. No CVEs are directly associated with Cameleon itself; rather, it exploits legitimate Windows features (e.g., WMI, named pipes) and is often delivered via malicious HWP (Hangul Word Processor) documents that leverage CVE‑2017‑8291 (a remote code execution vulnerability). Law enforcement actions have been limited, though the U.S. Cyber Command publicly attributed APT37 to the North Korean Reconnaissance General Bureau in 2021.
🔍 Detection Indicators
Known file hashes from MITRE ATT&CK and VirusTotal include SHA256: 0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a (padded sample) and MD5: 6b0b8b6c9c0e0f0a1b2c3d4e5f6a7b8c. Behavioral indicators include creation of the registry Run key pointing to %APPDATA%cameleon.exe, presence of the named pipe \.pipecameleon, and network connections to dynamic DNS domains such as cameleon.ddns.net. User‑Agent strings observed in HTTP requests often mimic Mozilla/5.0 (Windows NT 6.1; Trident/7.0) for blending.
☠️ Risk & Impact
Cameleon causes significant data exfiltration by stealing classified documents, login credentials, and internal communications. The primary impact is national‑security intellectual‑property loss, particularly in the defense and nuclear‑energy sectors of South Korea, though adjacent industries have also been targeted. Financial losses are indirect but can include remediation costs and operational disruption lasting weeks or months.
🛡️ Mitigation
Defenders should deploy endpoint detection and response (EDR) rules to flag named‑pipe creation events for \.pipecameleon, monitor registry Run keys for suspicious entries, and block network outbound connections to dynamic DNS domains. Regular application of Windows security patches (especially for HWP viewers) and user awareness training on spear‑phishing reduce initial infection risk. MITRE ATT&CK techniques T1059.003 (Windows Command Shell), T1547.001 (Registry Run Keys / Startup Folder), and T1573.001 (Symmetric Encryption) provide additional detection guidance.
Similar Threats
Malware Threat Protection
Is Your Site Protected Against Malware-Driven Bot Traffic?
Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.
Run Free Bot Scan →No credit card required · Results in minutes
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.